Stories by Lucian Constantin

Google discloses another unpatched Windows flaw, irritates Microsoft

Google released details of a second unpatched privilege escalation flaw in Windows 8.1 in less than a month, drawing criticism from Microsoft.

OpenSSL patches eight new vulnerabilities

Server administrators are advised to upgrade OpenSSL again to fix eight new vulnerabilities, two of which can lead to denial-of-service (DoS) attacks.

Exploit allows Asus routers to be hacked from local network

A vulnerability in Asuswrt, the firmware running on many wireless router models from Asustek Computer, allows attackers to completely compromise the affected devices. Malicious hackers, however, need to launch their attacks from within the local networks served by the vulnerable routers.

Apple blocks tool that brute-forces iCloud passwords

Apple has fixed an issue that could have allowed attackers to launch brute-force attacks against iCloud users in order to guess their passwords.

Macro-based malware is making a comeback, researchers warn

For the past several months, different groups of attackers have distributed malware through Microsoft Office documents that contain malicious macros, reviving a technique that has been out of style for over a decade.

Moonpig jeopardizes data of millions of customers through insecure API

Moonpig, a large online seller of personalized greeting cards and gifts, shut down its mobile apps Tuesday because of a security weakness that could have given hackers access to customer information.

Gogo inspects secure Web traffic in attempt to limit in-flight video streaming

In-flight Internet provider Gogo is inspecting its users' traffic exchanged with secure sites by replacing those sites' HTTPS certificates with self-signed ones.

Free tool automates phishing attacks for Wi-Fi passwords

A new open-source tool can be used to launch phishing attacks against users of wireless networks in order to steal their Wi-Fi access keys.

Think that software library is safe to use? Not so fast!

In today's world of agile software development and fast release cycles, developers increasingly rely on third-party libraries and components to get the job done. Since many of those libraries come from long-running, open-source projects, developers often assume they're getting well-written, bug-free code. They're wrong.

Romanian version of EU cybersecurity directive allows warrantless access to data

More than a dozen Romanian non-governmental organizations are protesting new cybersecurity legislation passed by the parliament last week that would force businesses to provide the country's national intelligence agencies with access to their data without a court warrant.

Thunderbolt devices can infect MacBooks with persistent rootkits

Attackers can infect MacBook computers with highly persistent boot rootkits by connecting malicious devices to them over the Thunderbolt interface.

Flaw in open-source PDF viewer could put WikiLeaks users, others at risk

An open-source component used to display PDF files on WikiLeaks.org and other websites contains vulnerabilities that could be exploited to launch cross-site scripting (XSS) and content spoofing attacks against visitors.

Two-factor authentication oversight led to JPMorgan breach, investigators reportedly found

The attackers who stole information about 83 million JPMorgan Chase customers earlier this year gained a foothold on the company's network because a server reportedly lacked two-factor authentication.

Cybercrime group steals millions from Russian banks, targets US and European retailers

A sophisticated group of cybercriminals has stolen over US$25 million by hacking into the infrastructure of numerous financial institutions in Russia and former Soviet Union countries, as well as into point-of-sale systems belonging to U.S. and European retailers.

Exploits for dangerous network time protocol vulnerabilities can compromise systems

Remote code execution vulnerabilities in the standard implementation of the network time protocol (NTP) can be exploited by attackers to compromise servers, embedded devices and even critical infrastructure systems that run UNIX-like operating systems.